I use THC-Rut from http://www.thc.org/download.php?t=r&f=thcrut-1.2.5.tar.gz to do a quick scan and OS guess. I have to slow it down a little or it tends to miss some hosts (by default it scans 5000 hosts in parallel). So I do something like this: # thcrut discover -O -l 256 10.0.0.0/16 > thcrut-output.log The output of thcrut looks like this: Host: 10.0.4.23 Windows Host: 10.0.4.30 Windows NT 4.0 Host: 10.0.4.34 Windows XP ... I use a perl script to pull out the Windows systems. sub GetIP { open(IPFILE,"<thcrut-output.txt"); $#IPList = -1; foreach $line (<IPFILE>) { ($IP,$OS) = ($line =~ m/Host: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) (.*)/); if ($OS =~ m/^Windows/) { push(@IPList,$IP); } # end of if it is likely a Windows system } # end of foreach line in the file close(IPFILE); } # end of sub GetIP I don't do this part, but you could then take the IP addresses and send them to a text file. Then run nmap against the IP addresses saving the results in another file. Run nessus with the results file from nmap and it should only be targetting your Windows systems. Or you could just import the IP addresses straight into nessus and let nessus run nmap for you.
-Jason -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jonathan C. Detert Sent: Thursday, April 01, 2004 10:31 PM To: [EMAIL PROTECTED] Subject: how to make nessus only consider hosts it believes to be running a Ms.Win* o.s. ? Hello All, I'm scanning my employer's network with the hopes of limitting viral outbreaks by identifying vulnerable Ms.Windows machines, and denying them dhcp service. My problem is that my employer's network also has *BSD, MacOS, and Linux machines, but I don't want to deny those machines dhcp service, even if they have vulnerabilities, because I'm not worried about them spreading virii. If I limit the plugins used in my scans to the 'Windows' family, then I miss some plugins that I would like to use against Ms.Windows machines, such as 11412, which is titled 'IIS : WebDAV Overflow (MS03-007)', and which belongs to the 'Gain root remotely' family. But, if I enable the 'Gain root remotely' family, then I also enable plugins that would be applicable to those o.s.'s that I don't want to scan. So, is there a way to instruct nessus to only 'attack' hosts which it believes are 'Ms.Win*' hosts? Or at least, to not 'attack' hosts which it believes are not Ms.Win* hosts? Thanks -- Happy Landings, Jon Detert IT Systems Administrator, Milwaukee School of Engineering 1025 N. Broadway, Milwaukee, Wisconsin 53202 _______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus ------------------------------------------------------------------------------ Confidentiality notice: This e-mail message, including any attachments, may contain legally privileged and/or confidential information. If you are not the intended recipient(s), or the employee or agent responsible for delivery of this message to the intended recipient(s), you are hereby notified that any dissemination, distribution, or copying of this e-mail message is strictly prohibited. If you have received this message in error, please immediately notify the sender and delete this e-mail message from your computer. ============================================================================== _______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
